What is our primary use case?
I look at the attack analysis, which shows me which attackers try to exploit my vulnerabilities. I can check the ticket to see if it's blocked or whether it's a false positive. Whatever the case, if it already exists, I will block it. McAfee IPS has a benign engine, so this may not be a target in your environment. If you just prevent attackers from using it, they will try another vulnerability.
I have physical routers, but they try to make some novel vulnerabilities. This is not applicable to my environment, so when I see this alert I know it's a false positive not related to my environment. In some cases, I change the action of these alerts or attacks to block. This is what happened in one of the use cases I take advantage of from IPS. I got an alert about some attacks in my environment, regarding the SPAN port and server traffic. I saw it and I detected the source point of this attack.
How has it helped my organization?
It improved my security by stopping an attack to the signature base, or the behavior base. This is what I use Network Security Platform for.
What is most valuable?
The feature I found most valuable is the network threat analyzer in the security platform. It also integrates with GTI, or Global Threat Intelligence. Otherwise, I just use the basic features.
What needs improvement?
Integration with Global Thereat Intelligence could be better. Also, I think management solutions are end of life now at McAfee. Network threat analyzer may be used for endpoint quarantines. Integration between these sides, as well as endpoint APO, will help you quarantine the risky endpoints.
Maybe they should add a feature to block all high severity threats. You cannot block all of them now. I would like to select them all and block then in one action. In crunch data situations, you need to go through every attack one at a time and change the action.
For how long have I used the solution?
We have been using this solution for around two years.
What do I think about the stability of the solution?
It is stable. Network security manager previews might have some bugs, such as compiler or vulnerability issues. I did upgrade two or three times because of these issues. The first time I did it for a services issue. I opened a case with the McAfee support team and they allowed me to upgrade it to another version.
After I upgraded it, I faced a compiler issue. That was with version 184.108.40.206. Maybe this was a bug in the software or something else, but just they recommended for me to upgrade to version 220.127.116.11. That is what I did. Those were the issues I faced with McAfee Network Security Platform.
In terms of high-security attacks, not all of them are developed. You cannot do a rule that includes all high severities. In this aspect, I am confused about McAfee.
What do I think about the scalability of the solution?
It's easy to scale with this solution. After two years of experience, I'm responsible for the Network Security Platform. I think it's easy.
My customers are huge. They are banking size or enterprise. The biggest one has around 5,200 users.
How are customer service and technical support?
If we would rate technical support from one to ten, they would be an eight.
Which solution did I use previously and why did I switch?
I haven't used another product, but we have a built-in feature with Palo Alto. They have a built-in IPS, professional anti-spyware, and anti-virus. That is also the case with FortiGate. It is built in. In terms of standalone network security platforms, I only have experience with McAfee. I know there are some other vendors working as a standalone IPS, like Cisco Sourcefire and Trend Micro TippingPoint, but I don't work with them either. I think the business firewall has a good chance of dealing with any threats without an IPS.
How was the initial setup?
For the initial setup, you should be using the database. Enter the user name and password for these databases. Make a management IP for core components between Network Security Manager and IPS sensor. After you enter the CLI for the setup, there is a wizard view to enter the IP address of the management interface for the IPS sensor. The gateway, manager IP address, and peer manager IP address share secret keys, which should exist in the manager before you set up your IP sensor. After that, you have a left channel and packet channel between IPS sensor and network security manager over port 8501, 8502, and 8503. Another port should be opened for your firewall if there is a firewall or layer three devices between these two components to be managed from Network Security Manager. This is the first general installation of Network Security Manager after making the configurations. This is the initial setup. After that, you will have to try to make the policies: ITS policies, mindware policies, condition limiting policies, firewall policies, and advanced policies. This is what will happen. Then there is also customizing dashboards and tuning.
I worked as a system integrator and deployed it for the customer. Most of these customers are in critical areas, so downtime needs to be low and they might want the deployment time to be improved, but overall the time during all the setup takes me between two and three days.
From my company's side, I work alone to deploy. From the customer side, maybe two or three engineers are involved. Then there might be one or two people to handle maintenance, but McAfee is responsible for their product maintenance most of the time.
What other advice do I have?
Don't be afraid to deploy this solution. It is very simple and easy to deploy. I think there is no issue. I tested on the McAfee Network Security Platform. You just need to thinking carefully about attacks to decide if it's a sole attacker or two specific attacks. Use that information to create a decision about what action to take against the attack. Consider whether you want to lock off or block the action.
Maybe I can improve myself in some of my web analysis. I read articles to improve my knowledge in this area. This is what I do to improve my experience.
I would rate this solution as nine out of ten.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?